It’s occurred to me this afternoon that there may be thousands and
thousands of people out there who have not changed the default
passwords on their broadband routers, leaving them potentially exposed
to a denial of service attack. It wouldn’t take much for someone to
write a script that scanned a range of addresses for an open port 80
and then attempted to connect with a series of default passwords. Once
logged in the script could maliciously change the user’s settings and
knock them off the Internet and deny them access to their own router
config.

I discovered this while using BitTorrent – I noticed I had a connection
open to someone on the same ISP network as myself, PlusNet (let’s call
them Mr Bean). Me being a nosey old sod I wanted to have a look at
their web site so I opened a browser and typed in mrbean.plus.com – of
course this didn’t actually take me to their web space on the PlusNet
home page server but to the actual ADSL WAN address on their router –
however I got challenged for a username and password.

"This looks interesting" I thought!

So I tried a few random passwords but didn’t get anywhere, until I hit
"Cancel" – then I got the "failed authorisation" page from the web
server which revealed it was running a "Hasbani" web server. No idea
what that was so I did a Google and found it’s the built-in generic web
server for many Conexant based routers. A bit more googling turned up
the default username and password, "admin" and "epicrouter". Now I’m
thinking "I wonder…" so I typed them in and bingo, I’m logged straight
into this person’s router. Now I can access all their settings, change
the password, change their ISP connection string, change the DNS, DHCP
and IP settings, generally completely screw it all up!

Now I’m not a malicious person so didn’t do anything, but it just goes
to show that there’s a lot of ignorance out there and these people
could EASILY be knocked off without any problem whatsoever. Imagine a
script that did this to thousands of people, those people would suffer
outages and probably end up ringing the ISP helpline, causing a
knock-on effect as the helpdesk becomes overwhelmed with calls.

I think the only way to force people to change the password is to have
a big sticker on the router itself warning people to change the
password, or maybe even have a transparent proxy so that the first time
someone tries to access the Internet via one of the switch ports they
get taken to a page where they are forced to change it – after it’s
changed, the transparent proxy is disabled and only re-enabled if a
factory reset is performed.
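
The forced-change idea above can be modelled as a small state machine. This is an added sketch, not code from the post or from any router firmware: the class and method names are hypothetical, and the 12-character minimum and the block on WAN-side admin logins while the default password is active are assumptions that go beyond what the post proposes.

```python
import hashlib
import hmac
import os

FACTORY_PASSWORD = "epicrouter"   # default named in the post
MIN_LENGTH = 12                   # assumed policy, not from the post


class FirstRunGate:
    """Hypothetical model of a router that forces a password change."""

    def __init__(self):
        self.factory_reset()

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _store(self, password):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)

    def factory_reset(self):
        # A reset restores the default password, so the intercept comes back.
        self._store(FACTORY_PASSWORD)
        self.intercept_enabled = True

    def password_ok(self, password):
        return hmac.compare_digest(self._hash, self._derive(password))

    def route_lan_http(self, url):
        # While the default is active, every LAN web request lands on the change page.
        if self.intercept_enabled:
            return ("redirect", "/change-password")
        return ("forward", url)

    def admin_login(self, side, password):
        # Added assumption: no WAN-side admin login while the default is active.
        if side == "wan" and self.intercept_enabled:
            return False
        return self.password_ok(password)

    def change_password(self, current, new):
        if not self.password_ok(current):
            return "denied"
        if new.lower() == FACTORY_PASSWORD or len(new) < MIN_LENGTH:
            return "rejected"
        self._store(new)
        self.intercept_enabled = False  # proxy off until the next factory reset
        return "ok"
```

Rejecting the factory password as the "new" password matters here: without that check a user could clear the intercept page while leaving the router exactly as exposed as before.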

I think it’s only a matter of time before some malicious individual
starts attacking Internet users in this way. It may already be
happening!